What is PCASTLE?

Some malware threats are very visible, and some stay hidden for a long time. PCASTLE belongs to the second group: it does not manifest immediately, and it stays hidden because its payload does not noticeably slow the system down. The best way to detect PCASTLE is therefore to scan your system regularly with a legitimate security tool. If the tool of your choice detects this infection on your computer, remove PCASTLE immediately. There is also a good chance that you will have to remove several other infections, so be prepared.

Where does PCASTLE come from?

Our research team says that this Trojan spreads through websites that use vulnerable Flash plug-ins. So if you often find yourself on shady websites that rely heavily on Flash, do not be surprised if you get infected with PCASTLE one day.

There are several layers to this infection. First, a system has to be compromised (presumably through the vulnerable Flash plug-in). On that system, a scheduled task or a RunOnce registry key launches a command that contacts a remote server and downloads the first layer of the PowerShell script; that layer creates more scheduled tasks. Two further PowerShell layers are downloaded the same way, and the last one installs the XMRig miner, which mines the Monero cryptocurrency on the affected system.
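Because every layer described above is launched from a scheduled task or a Run/RunOnce value that calls PowerShell with a download cradle, those two locations are where a practitioner should look first. The following is an added hunting script written for this article, not code from the original page or from the PCASTLE campaign; it assumes an elevated PowerShell session on the suspect Windows host, and the regular expression (which also includes the two download domains named later on this page) is the editor's own choice of indicators.

```powershell
# Added hunting script (editor's example, not from the original page or the campaign).
# Assumption: run in an elevated PowerShell session on the suspect host.

# Signs of a PowerShell download cradle, plus the two PCASTLE download domains the page names.
$Pattern = 'powershell.*(-enc|-e |DownloadString|DownloadFile|IEX|Invoke-Expression|-w(indowstyle)?\s+hidden|Net\.WebClient)|zer2\.com|ackng\.com'

function Find-SuspiciousTasks {
    # Every action of every registered task, rendered as "executable arguments".
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $Pattern) {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd.Trim()
                }
            }
        }
    }
}

function Find-SuspiciousRunKeys {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... which are not registry values.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $Pattern) {
                [pscustomobject]@{
                    Source  = 'Registry'
                    Name    = "$key\$($p.Name)"
                    Command = "$($p.Value)"
                }
            }
        }
    }
}

$findings = @(Find-SuspiciousTasks) + @(Find-SuspiciousRunKeys)
if ($findings.Count -eq 0) {
    'No PowerShell download cradles found in scheduled tasks or Run/RunOnce keys.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat every hit as a lead, not a verdict: legitimate administration scripts also run hidden PowerShell, so read the full command line before removing anything. Note that the task's own trigger (how often it re-downloads the next layer) is not shown; `Get-ScheduledTaskInfo` on a flagged task tells you when it last ran.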

Is there anything a regular user can do about PCASTLE? Caution is the best policy. Security experts also maintain that you should keep your antivirus software up to date, block URLs that your firewall or security tool flags as unsafe, and update all of your software regularly, because the latest patches fix the vulnerabilities that cyber criminals exploit.

What does PCASTLE do?

Technically, PCASTLE does little visible harm. When we think of cryptocurrency mining, we usually imagine sluggish systems taken over by Trojan infections that use so many system resources that the machine cannot run properly anymore. At least, this is how users usually notice that something is wrong.

PCASTLE, on the other hand, and the XMRig miner it installs take only modest system resources, so this intruder can stay on the affected system for a very long time. It is also more likely to turn up on corporate computer systems than on individual desktops.

Research also shows that this file-less Trojan campaign mostly targets computer systems in China: based on various reports, up to 92% of PCASTLE detections were made there. The Trojan does not appear to target one specific industry, and some of the methods it uses to spread cannot be considered industry-specific.

Researchers found that PCASTLE uses two main domains, with several sub-domains for various purposes. Up-to-date security applications already block zer2.com and down.ackng.com: the former serves the several layers of PowerShell script mentioned above, and the latter serves the XMRig miner.
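Blocking the two domains belongs at the DNS resolver or web proxy, but on a single host you can at least check whether they have been looked up. The following is an added example for this article, not code from the original page; it assumes an elevated session, and the Sysmon part only works if Sysmon is installed with DNS query logging (Event ID 22) enabled, which is an assumption about the environment.

```powershell
# Added example (editor's code, not from the original page): look for the two PCASTLE
# download domains in the local DNS client cache and, if Sysmon is installed with
# DNS query logging (Event ID 22), in its operational log.
# Assumptions: elevated session; Sysmon is optional and may be absent.
$Iocs = 'zer2\.com|down\.ackng\.com'

function Find-IocInDnsCache {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -match $Iocs -or $_.RecordName -match $Iocs } |
        Select-Object Entry, RecordName, Data
}

function Find-IocInSysmonDns {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    try {
        # Get-WinEvent throws when the log is missing or holds no matching events.
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match $Iocs } |
            ForEach-Object {
                $evt = $_
                # Keep only the lines naming the queried host and the querying process.
                $lines = $evt.Message -split "`r?`n" | Where-Object { $_ -match '^(QueryName|Image):' }
                [pscustomobject]@{ Time = $evt.TimeCreated; Detail = ($lines -join '; ') }
            }
    } catch {
        Write-Warning "No Sysmon DNS events available: $($_.Exception.Message)"
    }
}

$cacheHits  = @(Find-IocInDnsCache)
$sysmonHits = @(Find-IocInSysmonDns)
"DNS cache hits: $($cacheHits.Count)";   $cacheHits  | Format-Table -AutoSize
"Sysmon DNS hits: $($sysmonHits.Count)"; $sysmonHits | Format-Table -AutoSize -Wrap
```

The DNS client cache is short-lived, so an empty result there proves little; the Sysmon log (or your resolver's query log) is the durable record, and the `Image` field tells you which process, typically powershell.exe here, made the request.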

One thing that should be pointed out is that PCASTLE uses the EternalBlue exploit to spread across a network. EternalBlue targets SMBv1, Microsoft patched it in March 2017 (MS17-010), and it is the exploit behind the WannaCry ransomware that rocked the world in May 2017. From this, we can see that propagation techniques get recycled, and that a two-year-old exploit still works wherever the patch was never applied or SMBv1 was never disabled.
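The practical check on a Windows host is therefore whether SMBv1 is still enabled, and the hardening step is to turn it off. The following is an added example written for this article, not code from the original page; it assumes an elevated session on Windows 8.1/Server 2012 R2 or later, where the `Get-SmbServerConfiguration` cmdlet and the `SMB1Protocol` optional feature exist (on older server editions the feature is managed through Server Manager instead), and `-Disable` is this script's own opt-in switch.

```powershell
# Added example (editor's code, not from the original page): report whether SMBv1, which
# EternalBlue abuses, is still enabled, and optionally disable it.
# Assumptions: elevated session; Windows 8.1/Server 2012 R2 or later; -Disable is opt-in.
param([switch]$Disable)

function Get-Smb1State {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { "$($feature.State)" } else { 'not present' }
        # EternalBlue needs to reach port 445; show whether the SMB server is listening at all.
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # Stops the SMB server from negotiating SMBv1 immediately ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and removes the optional feature (client and server side); a reboot completes it.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

'Before:'; Get-Smb1State | Format-List
if ($Disable) {
    Disable-Smb1
    'After (reboot to finish removing the feature):'; Get-Smb1State | Format-List
} elseif ((Get-Smb1State).Smb1ServerEnabled) {
    Write-Warning 'SMBv1 is enabled. Re-run with -Disable once you have confirmed nothing still depends on it.'
}
```

Disabling SMBv1 removes the attack surface regardless of patch level, which matters because checking for the MS17-010 hotfix by KB number is unreliable on systems where later cumulative updates have superseded it. Old NAS appliances and printers are the usual things that still need SMBv1; confirm before flipping the switch fleet-wide.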

How do I remove PCASTLE?

Although this Trojan is called a file-less infection, there are still certain things on your system you can delete when you are ready to remove PCASTLE. We would still point out that the most reliable way to deal with this Trojan is to remove it automatically: there is always a good chance that you have more threats on board, and a full system scan with a security tool would clear those doubts. By investing in a licensed antispyware application, you would also be ready to deal with the likes of PCASTLE in the future.

Manual PCASTLE Removal

  1. Press Win+R to open the Run prompt.
  2. Type %WINDIR% into the Open box and click OK.
  3. Open System32\config\systemprofile\AppData\Roaming\Microsoft.
  4. Delete the cred.ps1 file, then press Win+R once more.
  5. Type %LocalAppData% and click OK.
  6. Delete the following files:
  7. Scan your system with SpyHunter to confirm the removal of PCASTLE.
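The manual steps above, carried out as a script for the whole procedure rather than one file at a time. This is an added example written for this article; it is not the page's own tool and not SpyHunter. It assumes an elevated session, runs as a dry run unless `-Commit` is given, and, because the %LocalAppData% file names are not reproduced on this page, handles only cred.ps1 plus any scheduled task or Run/RunOnce value that references that script or the two download domains named earlier.

```powershell
# Added removal script (editor's code, not from the original page and not SpyHunter).
# Assumptions: elevated session; dry run unless -Commit is passed; the %LocalAppData%
# file list from the page is not available here, so those files are not handled.
param([switch]$Commit)

$Ioc     = 'cred\.ps1|zer2\.com|ackng\.com'
$CredPs1 = Join-Path $env:WINDIR 'System32\config\systemprofile\AppData\Roaming\Microsoft\cred.ps1'
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Remove-PcastleArtifacts {
    param([switch]$Commit)
    $actions = New-Object 'System.Collections.Generic.List[string]'

    # 1. The dropped PowerShell layer under the SYSTEM profile (steps 2 to 4 above).
    if (Test-Path -LiteralPath $CredPs1) {
        $actions.Add("file  $CredPs1")
        if ($Commit) { Remove-Item -LiteralPath $CredPs1 -Force }
    }

    # 2. Scheduled tasks that launch the dropped script or pull from the download domains.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if ($cmd -match $Ioc) {
            $actions.Add("task  $($task.TaskPath)$($task.TaskName)")
            if ($Commit) { Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false }
        }
    }

    # 3. Run/RunOnce values doing the same (the page names RunOnce as a launch point).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*' -or "$($p.Value)" -notmatch $Ioc) { continue }
            $actions.Add("reg   $key\$($p.Name)")
            if ($Commit) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
    return $actions
}

$found = @(Remove-PcastleArtifacts -Commit:$Commit)
if ($found.Count -eq 0) {
    'No PCASTLE artifacts found.'
} else {
    $verb = if ($Commit) { 'Removed' } else { 'Would remove (re-run with -Commit)' }
    "${verb}:"; $found
}
```

Run it once without `-Commit` and read the list: removing persistence does not stop a miner that is already running, so end any powershell.exe or unknown process spawned by a flagged task before committing, and then perform the full scan from step 7, because the page warns that other infections are usually present as well.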
